Always perform SSL verification for FortiTokenCloud Integration

This change turns on SSL verification for FortiTokenCloud integration.

Always perform SSL verification for FortiTokenCloud Integration
This change turns on SSL verification for FortiTokenCloud integration.
22a28ce9 · Manoj M J · 65865e17 · 22a28ce9 · 22a28ce9 · 22a28ce9
Commit 22a28ce9 authored Jan 19, 2021 by Manoj M J
3 changed files
--- a/changelogs/unreleased/security-ssl-verification-ftc.yml
+++ b/changelogs/unreleased/security-ssl-verification-ftc.yml
+---
+title: Perform SSL verification for FortiTokenCloud Integration
+merge_request:
+author:
+type: security
--- a/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
+++ b/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
@@ -61,8 +61,7 @@ module Gitlab
              headers: {
                'Content-Type': 'application/json'
              }.merge(headers),
-              body: body,
-              verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests.
+              body: body
            )
          end
        end

--- a/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
+++ b/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
  let(:otp_verification_url) { url + '/auth' }
  let(:access_token) { 'an_access_token' }
  let(:access_token_create_response_body) { '' }
+  let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } }
+  let(:headers) { { 'Content-Type': 'application/json' } }

  subject(:validate) { described_class.new(user).validate(otp_code) }

@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
      client_secret: client_secret
    )

-    access_token_request_body = { client_id: client_id,
-                                  client_secret: client_secret }
-
    stub_request(:post, access_token_create_url)
-      .with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' })
+      .with(body: JSON(access_token_request_body), headers: headers)
      .to_return(
        status: access_token_create_response_status,
        body: Gitlab::Json.generate(access_token_create_response_body),
@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
    end
  end

+  context 'SSL Verification' do
+    let(:access_token_create_response_status) { 400 }
+
+    context 'with `Gitlab::HTTP`' do
+      it 'does not use a `verify` argument,'\
+         'thereby always performing SSL verification while making API calls' do
+        expect(Gitlab::HTTP).to receive(:post)
+          .with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original
+
+        validate
+      end
+    end
+  end
+
  def stub_forti_token_cloud_config(forti_token_cloud_settings)
    allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings))
  end